
CLAIMS 

1 . A system for detecting intrusions on a host, comprising: 

a) a sensor for collecting information including events and timestamps from a 
logfile; and 

5 b) an analysis engine configured to identify backward and forward time steps in the 
logfile, correlate the time steps with events, and assign a suspicion value to an 
event. 

2. The system as recited in claim 1, wherein the analysis engine is configured to identify 
10 a time step as forward if a timestamp of an entry in the logfile is later than an 

preceding entry in the logfile, and identify a time step as backward if a timestamp of 
an entry in the logfile is earlier than an preceding entry in the logfile. 

3. The system as recited in claim 1, wherein the analysis engine is further configured to 
15 use expected activity level in the directory to determine the suspicion value. 

4. The system as recited in claim 1, further comprising a second sensor for collecting 
information including events and timestamps from a second logfile. 

20 5. The system as recited in claim 4, wherein the analysis engine is configured to 
correlate a time step in the logfile with an event in the second logfile. 
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6. The system as recited in claim 1, wherein the analysis engine is further configured to 
filter out expected time steps fi'om fiirther analysis. 

7. The system as recited in claim 6, wherein the analysis engine is configured to filter 



adjustments. 

8. The system as recited in claim 6, wherein the analysis engine is fiirther configured to 
compute an expected time drift resulting from a Network Time Protocol adjustment, 



9. The system as recited in claim 8, wherein the analysis engine is fiirther configured to 
compute a standard deviation of the expected time drift. 

15 10. The system as recited in claim 9, wherein the analysis engine is fiirther configured to 
label time steps with weighted distributions. 

11. The system as recited in claim 1, fiirther comprising a user interface, and wherein the 
analysis engine is configured, upon correlating a time step to a record of an event in a 

20 logfile, to present the record to a user for labeling as to suspicion value. 

12. The system as recited in claim 11, wherein the analysis engine is fiirther configured to 
propagate the suspicion value to related events. 



5 



out expected backward time steps by correlating them to Network Time Protocol 



10 



and compare a forward time step in the logfile with the expected time drift. 
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13. A system for detecting intrusions on a host, comprising: 

a) a filesystem scanner configured to examine timestamps of files and directories in 
a filesystem; and 

5 b) an analysis engine configured to compare timestamps of a directory and of files in 
the directory, and assign a suspicion value to the directory or file if the 
timestamps are inconsistent. 

14. The system as recited in claim 13, wherein the analysis engine is configured to treat 
10 timestamps as inconsistent if the timestamp of the directory is later than the 

timestamp of any file in the directory. 

15. The system as recited in claim 13, fiirther comprising an archival source, wherein the 
filesystem scanner is configured to examine timestamps of files and directories fi-om 

15 the archival source, and the analysis engine is fiirther configured to compare the 

timestamps from the archival source to the timestamps of the directory and files in the 
directory. 
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16. A method for detecting intrusions on a host, comprising the steps of: 

a) collecting information including events and timestamps from a logfile; 

b) identifying backward and forward time steps in the logfile; 

c) correlating the backward and forward time steps with events; and 
5 d) assigning a suspicion value to an event. 

17. A computer program product for detecting intrusions on a host, the computer program 
product being embodied in a computer readable medium having machine readable 
code embodied therein for performing the steps of: 

10 a) collecting information including events and timestamps from a logfile; 

b) identifying backward and forward time steps in the logfile; 

c) correlating the backward and forward time steps with events; and 

d) assigning a suspicion value to an event. 

15 
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